Reputation: 31060
My site uses a captcha of 6 digits; however, if the attacker tries all combinations, chances are he will successfully submit the form a fraction of the time (1/million in theory, much more in practice since the random number generator I use is not truly random).
Is there any way I can further prevent him from succeeding? One way is to prevent anyone from submitting the form for 5 minutes after a certain number of tries (e.g. 20); the problem is that if I store the number of tries in the session, and the attacker creates a session for every try (naturally, since he uses a program, not a browser), then it would not work. And I don't want to modify the existing db schema to accommodate this logic.
Another way is to increase the number of captcha character used, which causes user inconvenience.
All advice is welcome.
Upvotes: 3
Views: 365
Reputation: 20496
regenerate a new number after each attempt, or after x attempts =D
Upvotes: 3
Reputation: 11223
I would recommend adding letters. That will make brute force much harder than adding more digits.
EDIT: You can also slow down the answers after getting some incorrect attempts. Add, for example, a 5 min delay.
Upvotes: 2
Reputation: 839044
Check the IP addresses of incoming connections. If the same IP address tries too many times, rate limit them harshly and if it continues for a long time, block them completely.
Of course it's not a perfect solution, but it will make it more difficult.
Upvotes: 2
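An added example (not code from the question or from any of the answers) that combines the first answer's "regenerate after each attempt" advice with the last answer's per-IP lockout, using the question's own numbers (20 tries, 5 minutes). The class name, the in-memory store and the 5-minute challenge expiry are assumptions; a real deployment would keep this state in a shared store such as a cache.

```python
import secrets
import string
import time
from collections import defaultdict

ALPHABET = string.digits + string.ascii_uppercase  # letters widen the space, as the second answer suggests
MAX_FAILURES = 20         # lockout threshold taken from the question
LOCKOUT_SECONDS = 5 * 60  # lockout length taken from the question
CHALLENGE_TTL = 300       # assumption: an unanswered challenge expires after 5 minutes


class CaptchaGuard:
    """Single-use challenges keyed by a random server token, plus per-IP lockout.
    State lives server-side (here in memory), not in the visitor's session, so a
    client that opens a fresh session for every request gains nothing."""

    def __init__(self, length=6, clock=time.monotonic):
        self.length = length
        self.clock = clock                  # injectable so tests can advance time
        self._challenges = {}               # token -> (answer, issued_at)
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures

    def issue(self):
        """Create a challenge; returns (token, answer). The answer goes into the image."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        token = secrets.token_urlsafe(16)
        self._challenges[token] = (answer, self.clock())
        return token, answer

    def is_locked(self, ip):
        now = self.clock()
        recent = [t for t in self._failures[ip] if now - t < LOCKOUT_SECONDS]
        self._failures[ip] = recent
        return len(recent) >= MAX_FAILURES

    def verify(self, ip, token, guess):
        """Consume the challenge on every attempt, right or wrong, so each challenge
        allows exactly one guess (the first answer's advice)."""
        if self.is_locked(ip):
            return False
        entry = self._challenges.pop(token, None)  # pop: the token is single-use
        if entry is None:
            self._failures[ip].append(self.clock())
            return False
        answer, issued = entry
        fresh = self.clock() - issued < CHALLENGE_TTL
        ok = fresh and secrets.compare_digest(answer.encode(), guess.strip().upper().encode())
        if not ok:
            self._failures[ip].append(self.clock())
        return ok
```

Because the token is popped on every call, a client that keeps replaying the same challenge with different guesses gets one try per rendered image, which removes the "1/million" brute-force budget the question worries about.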